Merge pull request #2170 from nordic-institute/XRDDEV-2534_globalconf-v4

Xrddev 2534 globalconf v4

.github/workflows/build.yaml

@@ -210,7 +210,7 @@ jobs:
           path: src/security-server/system-test/build/test-results/**/TEST-*.xml
           reporter: java-junit
       - name: Fix system-test build dir permissions
-        run: sudo chown -R $USER src/security-server/system-test/build/ss-container-logs/
+        run: sudo chown -R $USER src/security-server/system-test/build/ss-container-logs/ && sudo chown -R $USER src/security-server/system-test/build/ca-container-logs/
         if: failure()
       - name: Upload SS report
         uses: actions/upload-artifact@v4
@@ -220,6 +220,7 @@ jobs:
           path: |
             src/security-server/system-test/build/allure-report/
             src/security-server/system-test/build/ss-container-logs/
+            src/security-server/system-test/build/ca-container-logs/
             src/security-server/system-test/build/reports/test-automation/selenide-failures/*.png
   RunE2ETests:
     name: Run E2E tests

Docker/centralserver/files/cs-xroad.conf

@@ -50,4 +50,3 @@ autorestart=false
 command=/usr/sbin/cron -f
 user=root
 autorestart=true
-

Docker/securityserver/Dockerfile

@@ -91,4 +91,4 @@ COPY --chown=root:root files/ss-xroad.conf /etc/supervisor/conf.d/xroad.conf
 CMD ["/root/entrypoint.sh"]
 
 VOLUME ["/etc/xroad", "/var/lib/xroad", "/var/lib/postgresql/16/main/"]
-EXPOSE 8080 8443 4000 5432 5500 5577 5558
+EXPOSE 8080 8443 4000 5432 5500 5577 5558 80

Docker/securityserver/files/etc/xroad/conf.d/acme.yml

@@ -0,0 +1,11 @@
+acme:
+  contacts:
+    1234: [email protected]
+  eab-credentials:
+    certificate-authorities:
+      '[Test CA]':
+        mac-key-base64-encoded: true
+        members:
+          1234:
+            kid: 1
+            mac-key: secretkey

Docker/testca/Dockerfile

@@ -1,15 +1,14 @@
-FROM alpine:3.19
+FROM ubuntu:22.04
 
-RUN apk add --no-cache python3 nginx supervisor bash openssl curl \
+RUN apt-get update \
+  && apt-get -qq install --no-install-recommends python3 nginx supervisor bash openssl curl python3-pip uwsgi uwsgi-plugin-python3 \
   # Setup TEST-CA with TSA and OCSP
-  && adduser -D ca && adduser -D -H -G ca ocsp
+  && adduser --disabled-password ca && adduser --disabled-password --no-create-home --ingroup ca ocsp
 
 COPY build/home /home
 COPY build/etc /etc
 COPY build/usr /usr
 
-COPY files/nginx.conf /etc/nginx/nginx.conf
-
 COPY files/init.sh /home/ca/CA/
 COPY files/ca.py /home/ca/CA/
 
@@ -25,9 +24,24 @@ RUN chown -R ca:ca /home/ca/CA \
   && chmod 0754 /home/ca/CA/sign_req.sh
 
 COPY files/ca-entrypoint.sh /root/entrypoint.sh
-COPY --chown=root:root files/supervisord.conf /etc/supervisor/supervisord.conf
 COPY --chown=root:root files/testca.conf /etc/supervisor/conf.d/testca.conf
 
+# ACME
+ARG A2C_VER=0.34
+ADD https://github.com/grindsa/acme2certifier/releases/download/$A2C_VER/acme2certifier_$A2C_VER-1_all.deb /tmp/
+RUN apt update
+RUN apt -y install /tmp/acme2certifier_$A2C_VER-1_all.deb
+RUN sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" /var/www/acme2certifier/examples/nginx/nginx_acme_srv.conf \
+    && sed -i "s/80/8887/g" /var/www/acme2certifier/examples/nginx/nginx_acme_srv.conf \
+    && cp /var/www/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf \
+    && ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf \
+    && sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" /var/www/acme2certifier/examples/nginx/acme2certifier.ini \
+    && sed -i "s/nginx/www-data/g" /var/www/acme2certifier/examples/nginx/acme2certifier.ini \
+    && echo "plugins = python3" >> /var/www/acme2certifier/examples/nginx/acme2certifier.ini \
+    && cp /var/www/acme2certifier/examples/nginx/acme2certifier.ini /var/www/acme2certifier \
+    && usermod -a -G ca www-data
+COPY --chown=www-data:www-data files/acme_srv.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg
+
 CMD ["/root/entrypoint.sh"]
 
 EXPOSE 8888 8899

Docker/testca/files/acme_srv.cfg

@@ -0,0 +1,42 @@
+[DEFAULT]
+debug: False
+
+[Nonce]
+# disable nonce check. THIS IS A SEVERE SECURTIY ISSUE! Please do only for testing/debugging purposes
+nonce_check_disable: False
+
+[CAhandler]
+# CA specific options
+handler_file: examples/ca_handler/openssl_ca_handler.py
+issuing_ca_key: /home/ca/CA/private/ca.key.pem
+#issuing_ca_key_passphrase:
+issuing_ca_cert: /home/ca/CA/certs/ca.cert.pem
+issuing_ca_crl: /home/ca/CA/crl/ca.crl.pem
+#cert_validity_days: 30
+#cert_validity_adjust: True
+cert_save_path: /home/ca/CA/newcerts
+ca_cert_chain_list: ["/home/ca/CA/certs/ca.cert.pem"]
+openssl_conf: /home/ca/CA/CA.cnf
+#allowed_domainlist: ["foo.bar\\$", "foo1.bar.local"]
+#blocked_domainlist: ["google.com.foo.bar\\$", "host.foo.bar$", "\\*.foo.bar"]
+#save_cert_as_hex: True
+#cn_enforce: True
+
+#[EABhandler]
+#eab_handler_file: examples/eab_handler/kid_profile_handler.py
+#key_file: examples/eab_handler/kid_profiles.json
+
+
+[DBhandler]
+#dbfile: /var/lib/acme/db.sqlite3
+
+[Certificate]
+revocation_reason_check_disable: False
+
+[Challenge]
+# when true disable challenge validation. Challenge will be set to 'valid' without further checking
+# THIS IS A SEVERE SECURTIY ISSUE! Please do only for testing/debugging purposes
+challenge_validation_disable: False
+
+[Order]
+tnauthlist_support: False

Docker/testca/files/testca.conf

@@ -46,3 +46,10 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
+
+[program:uwsgi]
+directory=/var/www/acme2certifier
+command=/usr/bin/uwsgi --ini /var/www/acme2certifier/acme2certifier.ini
+user=www-data
+group=www-data
+autorestart=true

Docker/xrd-dev-stack/hurl-src/setup.hurl

@@ -28,7 +28,7 @@ Content-Type: application/json
 HTTP 200
 
 
-# Add member class to Central Server
+# Add member classes to Central Server
 POST https://{{cs_host}}:4000/api/v1/member-classes
 X-XSRF-TOKEN: {{cs_xsrf_token}}
 Content-Type: application/json
@@ -37,6 +37,22 @@ Content-Type: application/json
   "description": "Commercial"
 }
 
+POST https://{{cs_host}}:4000/api/v1/member-classes
+X-XSRF-TOKEN: {{cs_xsrf_token}}
+Content-Type: application/json
+{
+  "code": "GOV",
+  "description": "Governmental organisations"
+}
+
+POST https://{{cs_host}}:4000/api/v1/member-classes
+X-XSRF-TOKEN: {{cs_xsrf_token}}
+Content-Type: application/json
+{
+  "code": "ORG",
+  "description": "Non-profit organisations"
+}
+
 HTTP 201
 
 # Log in Central Server token
@@ -124,7 +140,7 @@ Content-Type: application/json
 HTTP 201
 
 
-# Set management subsystem for member 1234 as the management serice for the Central Server
+# Set management subsystem for member 1234 as the management service for the Central Server
 PATCH https://{{cs_host}}:4000/api/v1/management-services-configuration
 X-XSRF-TOKEN: {{cs_xsrf_token}}
 Content-Type: application/json
@@ -143,6 +159,7 @@ X-XSRF-TOKEN: {{cs_xsrf_token}}
 [MultipartFormData]
 certificate_profile_info: ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider
 tls_auth: false
+acme_server_directory_url: http://{{ca_host}}:8887
 certificate: file,ca/ca.pem;
 
 HTTP 201
@@ -249,6 +266,7 @@ Content-Type: application/json
       "CN": "{{ss0_host}}",
       "C": "FI",
       "O": "Test member",
+      "subjectAltName": "{{ss0_host}}",
       "serialNumber": "DEV/SS0/COM"
     }
   }
@@ -315,9 +333,10 @@ Content-Type: application/json
     "csr_format": "DER",
     "member_id": "DEV:COM:1234",
     "subject_field_values": {
-      "CN": "{{ss0_host}}",
+      "CN": "1234",
       "C": "FI",
       "O": "Test member",
+      "subjectAltName": "{{ss0_host}}",
       "serialNumber": "DEV/SS0/COM"
     }
   }
@@ -359,7 +378,7 @@ HTTP 200
 [Captures]
 ss0_sign_key_cert: body
 
-# Import auth certificate
+# Import sign certificate
 POST https://{{ss0_host}}:4000/api/v1/token-certificates
 X-XSRF-TOKEN: {{ss0_xsrf_token}}
 Content-Type: application/octet-stream
@@ -542,7 +561,7 @@ Content-Type: application/octet-stream
 
 HTTP 201
 
-# Initialize management Security Server
+# Initialize SS1 Security Server
 POST https://{{ss1_host}}:4000/api/v1/initialization
 X-XSRF-TOKEN: {{ss1_xsrf_token}}
 Content-Type: application/json
@@ -580,6 +599,7 @@ Content-Type: application/json
       "CN": "{{ss1_host}}",
       "C": "FI",
       "O": "Test client",
+      "subjectAltName": "{{ss1_host}}",
       "serialNumber": "DEV/SS1/COM"
     }
   }
@@ -646,9 +666,10 @@ Content-Type: application/json
     "csr_format": "DER",
     "member_id": "DEV:COM:4321",
     "subject_field_values": {
-      "CN": "{{ss1_host}}",
+      "CN": "4321",
       "C": "FI",
       "O": "Test client",
+      "subjectAltName": "{{ss1_host}}",
       "serialNumber": "DEV/SS1/COM"
     }
   }
@@ -821,6 +842,148 @@ X-XSRF-TOKEN: {{cs_xsrf_token}}
 
 HTTP 200
 
+# Add TestSaved to SS0
+POST https://{{ss0_host}}:4000/api/v1/clients
+X-XSRF-TOKEN: {{ss0_xsrf_token}}
+{
+  "ignore_warnings": true,
+  "client": {
+    "member_class": "COM",
+    "member_code": "1234",
+    "subsystem_code": "TestSaved",
+    "connection_type": "HTTP"
+  }
+}
+
+HTTP 201
+
+[Captures]
+ss0_test_saved_id: jsonpath "$.id"
+
+# Register TestSaved to SS0
+PUT https://{{ss0_host}}:4000/api/v1/clients/{{ss0_test_saved_id}}/register
+X-XSRF-TOKEN: {{ss0_xsrf_token}}
+
+HTTP 204
+
+# Accept SS0 TestSaved registration
+GET https://{{cs_host}}:4000/api/v1/management-requests?sort=id&desc=true&status=WAITING
+X-XSRF-TOKEN: {{cs_xsrf_token}}
+
+HTTP 200
+
+[Captures]
+ss0_test_saved_req_id: jsonpath "$.items[0].id"
+
+POST https://{{cs_host}}:4000/api/v1/management-requests/{{ss0_test_saved_req_id}}/approval
+X-XSRF-TOKEN: {{cs_xsrf_token}}
+
+HTTP 200
+
+# Add test-consumer to SS1 Security Server
+POST https://{{ss1_host}}:4000/api/v1/clients
+X-XSRF-TOKEN: {{ss1_xsrf_token}}
+{
+  "ignore_warnings": true,
+  "client": {
+    "member_class": "COM",
+    "member_code": "1234",
+    "subsystem_code": "test-consumer",
+    "connection_type": "HTTP"
+  }
+}
+
+HTTP 201
+
+[Captures]
+ss1_test-consumer_id: jsonpath "$.id"
+
+# Add test-consumer sign key to the SS1 Security Server token
+POST https://{{ss1_host}}:4000/api/v1/tokens/0/keys-with-csrs
+X-XSRF-TOKEN: {{ss1_xsrf_token}}
+Content-Type: application/json
+{
+  "key_label": "token-consumer sign key",
+  "csr_generate_request": {
+    "key_usage_type": "SIGNING",
+    "ca_name": "{{ca_name}}",
+    "csr_format": "DER",
+    "member_id": "DEV:COM:1234",
+    "subject_field_values": {
+      "CN": "1234",
+      "C": "FI",
+      "O": "Test Consumer",
+      "subjectAltName": "{{ss1_host}}",
+      "serialNumber": "DEV/SS1/COM"
+    }
+  }
+}
+
+HTTP 200
+
+[Captures]
+test-consumer_sign_key_id: jsonpath "$.key.id"
+test-consumer_sign_key_csr_id: jsonpath "$.csr_id"
+
+# Get the sign key CSR
+GET https://{{ss1_host}}:4000/api/v1/keys/{{test-consumer_sign_key_id}}/csrs/{{test-consumer_sign_key_csr_id}}?csr_format=PEM
+X-XSRF-TOKEN: {{ss1_xsrf_token}}
+
+HTTP 200
+
+[Captures]
+test-consumer_sign_key_csr: body
+
+# Sign the sign key CSR (note that the test CA needs filename so we can't just send it under
+# [FormMultiPart] as we do with the other requests)
+POST http://{{ca_host}}:8888/testca/sign
+Content-Type: multipart/form-data; boundary=certboundary
+```
+--certboundary
+Content-Disposition: form-data; name="type"
+
+sign
+--certboundary
+Content-Disposition: form-data; name="certreq"; filename="sign.csr.pem"
+
+{{test-consumer_sign_key_csr}}
+--certboundary--
+```
+
+HTTP 200
+[Captures]
+test-consumer_sign_key_cert: body
+
+# Import auth certificate
+POST https://{{ss1_host}}:4000/api/v1/token-certificates
+X-XSRF-TOKEN: {{ss1_xsrf_token}}
+Content-Type: application/octet-stream
+```
+{{test-consumer_sign_key_cert}}
+```
+
+
+# Register test-consumer to SS1 Security Server
+PUT https://{{ss1_host}}:4000/api/v1/clients/{{ss1_test-consumer_id}}/register
+X-XSRF-TOKEN: {{ss1_xsrf_token}}
+
+HTTP 204
+
+# Accept SS1 test-consumer registration
+GET https://{{cs_host}}:4000/api/v1/management-requests?sort=id&desc=true&status=WAITING
+X-XSRF-TOKEN: {{cs_xsrf_token}}
+
+HTTP 200
+
+[Captures]
+ss1_test-consumer_req_id: jsonpath "$.items[0].id"
+
+POST https://{{cs_host}}:4000/api/v1/management-requests/{{ss1_test-consumer_req_id}}/approval
+X-XSRF-TOKEN: {{cs_xsrf_token}}
+
+HTTP 200
+
+
 
 # Add Central Server management service to SS0 Security Server
 POST https://{{ss0_host}}:4000/api/v1/clients/{{ss0_test_service_id}}/service-descriptions